A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 24 June 2004. 
2a) [X] This action is FINAL. 2b) [ ] This action is non-final. 

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213. 

Disposition of Claims 

4) [X] Claim(s) 1-20, 22-47 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) [ ] Claim(s) is/are allowed. 

6) [X] Claim(s) 1-20, 22-47 is/are rejected. 
7) [ ] Claim(s) is/are objected to. 

8) [ ] Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) [ ] The specification is objected to by the Examiner. 

10) [ ] The drawing(s) filed on is/are: a) [ ] accepted or b) [ ] objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
a) [ ] All b) [ ] Some * c) [ ] None of: 

1. [ ] Certified copies of the priority documents have been received. 

2. [ ] Certified copies of the priority documents have been received in Application No. . 

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
DETAILED ACTION 

1. An amendment was received on 24 June 2004. Claims 1, 5, 8, 10, 13, 17-20, 
22-24, 26-39, and 43-44 have been amended. Claim 21 has been canceled. Claims 
45-47 have been added. Claims 1-20 and 22-47 are pending in the present application. 

Specification 

2. The objection to the disclosure for minor informalities is withdrawn in light of 
Applicant's amendments to the specification. 

Claim Objections 

3. The objection to Claims 20 and 24 under 37 CFR 1.75(c) and the objection to 
Claim 30 for minor informalities are withdrawn in light of Applicant's amendments to the 
claims. 

Claim Rejections - 35 USC § 112 

4. The rejection of Claims 13-14, 18-20, 23, 26-27, 32-37, and 43 under 35 U.S.C. 
112, second paragraph, is withdrawn in light of Applicant's amendments to the claims. 
Response to Arguments 

5. Applicant's arguments filed 24 June 2004 have been fully considered but they are 
not persuasive. 

Applicant argues that independent Claims 1, 8, and 10 of the present application 
are not rendered obvious over combinations of Geiger, US Patent 6073142, in view of 
Sandhu, "Transaction Control Expressions for Separation of Duties" or "Lattice-Based 
Access Control Model". However, the Examiner believes that the combinations as set 
forth in the previous Office action do fairly suggest the invention claimed in the present 
application. Specifically in reference to Claim 1, the combination of Geiger and Sandhu, 
"Transaction Control Expressions for Separation of Duties" does suggest a method for 
enforcing security policies (Geiger, column 3, lines 28-30; Sandhu, pg. 282, column 1) 
including defining a first action as a condition and determining that a second action 
should not take place if the condition occurs (Sandhu, pg. 282, column 2); storing a rule 
(Geiger, Rule Bases 270 and 289) precluding the second action (Sandhu, pg. 282, 
column 2); and placing the rule into the data access management software (Geiger, 
Rule Engines 210 and 283; column 6, line 58-column 7, line 3). Similarly, the same 
combination fairly suggests the apparatus of Claim 8, and the combination of Geiger in 
view of Sandhu, "Lattice-Based Access Control Model" fairly suggests the method of 
Claim 10. 

Application/Control Number: 09/495,509 Page 4 

Art Unit: 2137 

Further, Applicant argues that the claimed invention is distinguished from the 
prior art in that the prior art solutions must test for the condition every time the second 
action is attempted. However, Geiger discloses that a rule can be based on the state of 
the system itself (column 6, lines 17-24) and that once a rule is defined, the processing 
phase operates as its own process concurrent with and independent of rule definition 
(column 12, lines 23-31). That is, each time a second action is attempted, the system is 
already aware that the condition defined in the rule is in existence. Once the rule is in 
existence, the second action will never occur once the first action has occurred because 
of the established rule. 

Based on this rationale, the Examiner maintains the rejection as set forth below. 

Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

7. Claims 1-9, 30, 32-33, 36-37, 40-42, and 45-46 are rejected under 35 U.S.C. 
103(a) as being unpatentable over Geiger et al, US Patent 6073142, in view of Sandhu, 
"Transaction Control Expressions for Separation of Duties." 

In reference to Claims 1 , 2, and 7, Geiger discloses a method using a database 
of rules to implement organizational policies (column 3, lines 28-30) acting on various 
data objects, including database records and information (column 2, lines 56-67 and 
column 12, lines 35-45). Geiger describes the construction of rules (column 12, line 52- 
column 17, line 2). More specifically, "Each rule describes a specific action to be taken 
when an attribute of a ... data object satisfies an operator with respect to a user-defined 
value" (column 13, lines 18-21). However, Geiger does not give examples of a rule 
used to specifically preclude a second action upon the occurrence of a first action 
defined as a condition, nor does Geiger use the specific example of separation of duties 
as an organizational policy. 

Sandhu teaches that "Separation of duties is a fundamental technique for 
prevention of fraud and errors" (pg. 282, column 1). An example of separation of duties 
is given wherein a check is prepared by a clerk, the check is approved by a supervisor, 
and the check is issued by a second clerk. This is done to ensure that "different users 
have responsibility and authorization" for each step of the process (pg 282, column 2). 
The separation of duties means that, in this example, "it will take collusion of two clerks 
and a supervisor to perpetrate fraud" (pg 283, column 1) whereas, without separation of 
duties, a single person would be more able to commit fraud. The example of preparing, 
approving, and issuing a check is analogous to Claim 7, wherein the rule that is stored 
and utilized in the system prevents the same user from both ordering goods or services 
(a preliminary step to preparing the check) and paying for the goods or services 
(approving and issuing the check). These benefits of the separation of duties are well 
known, and it would be obvious to automate the enforcement of this policy once the 
remainder of the system has been automated. 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the system of Geiger by using its system of rules 
to automate an implementation of a policy of separation of duties, as described by 
Sandhu, in order to prevent fraud and errors (see Sandhu, pg. 282). 

In reference to Claim 5, Geiger discloses an expiration date for a message 
(column 23, line 53-column 24, line 5). Geiger further discloses rules that can state that 
an action is to be taken when "the time parameters... are satisfied" (column 24, lines 
61-64, with a specific example in lines 64-67). 

In reference to Claim 6, Geiger discloses that, upon returning a message to a 
user, the user is notified, via email, of the reason that the message was returned 
(column 16, lines 10-15). 

In reference to Claims 3 and 4, Sandhu discloses a further limitation for 
separation of duties: once an action has been performed by one user, a second action 
can only be performed by certain other users. Specifically, for the example of 
preparing, approving, and issuing a check, after a clerk has prepared the check, only a 
supervisor may approve the check. Similarly, once the supervisor has approved the 
check, only a second clerk may issue the check. If a clerk attempts to approve the 
check, or a supervisor attempts to issue the check, then the system should reject the 
attempt (page 283, columns 1-2). Specifically in reference to Claim 4, in the example 
described, the roles of the two users are different, specifically supervisor and clerk. 
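As an added illustration (not part of this Office action, and not code from the application, from Geiger, or from Sandhu), the following Python enforces the check-processing example discussed above for Claims 1, 2, and 7 and for Claims 3 and 4: the prepare/approve/issue steps are written as an ordered transaction control expression with a required role per step, and each attempted step is checked against the object's own history so that no user acts twice on the same check. The role assignments, user names, and check identifier are constructed for the example.

```python
"""Separation of duties enforced from a per-object transaction history.

Illustrative example written for this page; it is not code from the
application under examination, from Geiger, or from Sandhu. The role
assignments and the check-processing steps are constructed for the demo.
"""
from dataclasses import dataclass, field

# Constructed role assignments (an assumption for the example).
ROLES = {"alice": "clerk", "bob": "clerk", "carol": "supervisor"}

# Transaction control expression for the check example: the steps in order,
# each with the role that may perform it. A user may perform at most one step
# on a given check, so completing it takes a clerk, a supervisor and a second clerk.
CHECK_TCE = [("prepare", "clerk"), ("approve", "supervisor"), ("issue", "clerk")]


class PolicyViolation(Exception):
    """Raised when a requested step would break the separation-of-duties rule."""


@dataclass
class CheckObject:
    check_id: str
    history: list = field(default_factory=list)  # [(step, user), ...] in order


def perform(check: CheckObject, step: str, user: str, tce=CHECK_TCE) -> None:
    """Record `user` performing `step` on `check`, or raise PolicyViolation.

    The object's history is consulted on every attempt: the step must be the
    next one in the control expression, the user must hold the required role,
    and the user must not have acted on this object before.
    """
    done = len(check.history)
    if done >= len(tce):
        raise PolicyViolation(f"{check.check_id}: transaction already complete")
    expected_step, required_role = tce[done]
    if step != expected_step:
        raise PolicyViolation(f"{check.check_id}: expected {expected_step!r}, got {step!r}")
    if ROLES.get(user) != required_role:
        raise PolicyViolation(f"{user} is not a {required_role}")
    if any(prior_user == user for _, prior_user in check.history):
        raise PolicyViolation(f"{user} already acted on {check.check_id}")
    check.history.append((step, user))


def run_sequence(actions, check_id="chk-1"):
    """Apply (step, user) pairs to a fresh check and return one outcome per
    action: 'ok' or the violation message. Rejected steps leave no history."""
    check = CheckObject(check_id)
    outcomes = []
    for step, user in actions:
        try:
            perform(check, step, user)
            outcomes.append("ok")
        except PolicyViolation as exc:
            outcomes.append(str(exc))
    return outcomes


if __name__ == "__main__":
    # Collusion of two clerks and a supervisor is the only way to complete the check.
    print(run_sequence([("prepare", "alice"), ("approve", "carol"), ("issue", "bob")]))
    # The preparing clerk cannot also issue.
    print(run_sequence([("prepare", "alice"), ("approve", "carol"), ("issue", "alice")]))
```

Rejected attempts deliberately leave no trace in the history, so a clerk who fails to approve a check does not thereby lose the ability to issue it later; whether a refused attempt should count as "acting on" the object is a policy decision the code makes explicit in one place.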

In reference to Claim 36, it would be obvious not to load a rule until a user in the 
role specified by the rule logs on in order to conserve system memory resources by not 
loading the rule unnecessarily. 
Similarly, in reference to Claim 37, it would be obvious only to test a rule for a 
user in the role specified by the rule, in order to conserve processing resources by not 
testing the rule unnecessarily. 

In reference to Claim 32, it would be obvious not to load a rule until a user 
specified by the rule logs on in order to conserve system memory resources by not 
loading the rule unnecessarily. 

In reference to Claim 33, it would be obvious only to test a rule for a user 
specified by the rule, in order to conserve processing resources by not testing the rule 
unnecessarily. 

In reference to Claim 40, the security policy is separation of duties, as described 
above in reference to Claim 1. 

In reference to Claim 41, compliance to regulation is generally a legal 
requirement for the company administering such a system. It would be obvious to 
modify the combined system of Geiger and Sandhu, described in reference to Claim 1, 
to include a policy of compliance to regulation in order to avoid the legal repercussions 
of a failure to comply. 

Further, in reference to Claim 42, the benefits or requirements of privacy of data 
are well known. It would be obvious to modify the combined system of Geiger and 
Sandhu, described in reference to Claim 1, to include a policy of privacy of data in order 
to gain the benefits of privacy. 

In reference to Claim 45, Geiger discloses generating rules in response to a 
condition (column 17, lines 36-39). 
In reference to Claim 8, Geiger discloses a system that includes a file of rules 
(Figure 2, Rule Base 270, and Figure 3, Gatekeeping Rule Base 289) and means for 
reading said file, locating said rules, and integrating said rules into the system (Figure 2, 
Rule Engine 210, and Figure 3, Rule Engine 283). However, Geiger does not give 
examples of rules used to prevent a specified data transaction by a user after a user 
has effected a specified transaction to modify data. 

Sandhu teaches that "Separation of duties is a fundamental technique for 
prevention of fraud and errors" (pg. 282, column 1). An example of separation of duties 
is given where the same individual cannot be responsible for preparing, approving, and 
issuing a check, as described with reference to Claims 1, 2, and 7 above. The benefits 
of the separation of duties are well known, and it would be obvious to automate the 
enforcement of this policy once the remainder of the system has been automated. 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the system of Geiger by using its system of rules 
to automate an implementation of a policy of separation of duties, as described by 
Sandhu, in order to prevent fraud and errors (see Sandhu, pg. 282). 

In reference to Claim 9, Geiger discloses an expiration date for a message 
(column 23, line 53-column 24, line 5). Geiger further discloses rules that can state that 
an action is to be taken when "the time parameters... are satisfied" (column 24, lines 
61-64, with a specific example in lines 64-67). Further, it would be obvious to eliminate 
rules from the system once there is some condition or time period indicating that a rule 
is no longer valid in order to keep system resources available. 

In reference to Claim 30, Sandhu describes that a history of the objects acted 
upon is created (pg 283, column 2) and that separation of duties can be enforced by 
keeping such history information (pg 284, column 2). Geiger discloses that the rules 
may be stored "by any of a number of useful implementing data structures" (column 16, 
lines 42-45). Further, it would be obvious to store eliminated rules for record-keeping 
purposes, and also in the event that a rule might need to be re-used. 

In reference to Claim 46, Geiger discloses generating rules in response to a 
condition (column 17, lines 36-39). 

8. Claim 16 is rejected under 35 U.S.C. 103(a) as being unpatentable over Geiger 
in view of Sandhu as applied to claim 1 above, and further in view of Scannell, et al, US 
Patent 5377354. 

In reference to Claim 16, Scannell discloses that a rule can be used as a 
template for other rules, in order to create a "new but similar rule" (column 8, lines 41- 
44). It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the combined system of Geiger and Sandhu, as 
described above in reference to Claim 1, by allowing for the use of templates for rule 
creation, in order to create "new but similar" rules, as taught by Scannell (see Scannell, 
column 8, lines 41-44). 

9. Claims 10, 13-15, 17-18, 23-24, 26-27, 31, 34-35, 43, and 47 are rejected under 
35 U.S.C. 103(a) as being unpatentable over Geiger, US Patent 6073142, in view of 
Sandhu, "Lattice-Based Access Control Models." 

In reference to Claim 10, Geiger discloses a system in which rules are stored 
(Figure 2, Rule Base 270, and Figure 3, Gatekeeping Rule Base 289) and included in 
the system (Figure 2, Rule Engine 210, and Figure 3, Rule Engine 283). However, 
Geiger does not give examples of rules used to prevent a known party from accessing 
information on the condition that the party has knowledge of a particular set of 
information. 

Sandhu teaches that the objective of a Chinese Wall policy "is to prevent 
information flows that result in a conflict of interest for individual consultants" (pg. 17, 
column 2). For example, a consultant should not have access to information about two 
companies of the same type, such as two banks, "because such information creates a 
conflict of interest in the consultant's analysis and is a disservice to clients" (pg. 17, 
column 2). After a consultant has accessed information about one bank, the consultant 
is prevented from accessing information about another bank. Further, this prevention of 
access can be removed once information is no longer sensitive, but "should persist long 
enough to avoid a conflict of interest" (pg. 17, column 3). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the system of Geiger by using its system of rules 
to automate an implementation of a Chinese Wall policy, as described by Sandhu, in 
order to prevent a conflict of interest (see Sandhu, pg. 17). 
In reference to Claims 13 and 14, Geiger discloses that, upon returning a 
message to a user, the user is notified, via email, of the reason that the message was 
returned (column 16, lines 10-15). 

In reference to Claim 15, it is well known that if information has been made 
public, it is no longer sensitive. Further, Sandhu describes that the denial of access to 
information "should persist long enough to avoid a conflict of interest" (pg 17, column 3), 
that is, after a predetermined time, the information would no longer be considered 
sensitive. 
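As an added illustration (not part of this Office action, and not code from the application, from Geiger, or from Sandhu), the following Python mediates reads under a Chinese Wall policy of the kind described above for Claim 10 and Claim 15: datasets carry a conflict-of-interest class, a consultant who has read one bank's data is refused a competing bank's data, and the refusal lifts when the earlier information is no longer sensitive or when the requested data is already public. The company datasets, their classes, and the logical sensitivity windows are constructed for the example.

```python
"""Chinese Wall check of the kind Sandhu describes (the Brewer-Nash policy).

Illustrative example written for this page; it is not code from the
application, from Geiger, or from Sandhu. Company datasets, their
conflict-of-interest classes and the sensitivity windows are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Dataset:
    name: str
    coi_class: str        # conflict-of-interest class, e.g. "bank" or "oil"
    sensitive_until: int  # logical time after which the data is no longer sensitive; 0 = already public


@dataclass
class Consultant:
    name: str
    accessed: dict = field(default_factory=dict)  # dataset name -> time of first access


# Constructed catalogue. bank-a and bank-b are competitors in the same class;
# the annual report is public (sanitized) information.
DATASETS = {
    "bank-a": Dataset("bank-a", "bank", sensitive_until=100),
    "bank-b": Dataset("bank-b", "bank", sensitive_until=200),
    "oil-x": Dataset("oil-x", "oil", sensitive_until=100),
    "bank-c-annual-report": Dataset("bank-c-annual-report", "bank", sensitive_until=0),
}


def may_read(consultant: Consultant, dataset: Dataset, now: int):
    """Return (allowed, reason).

    Access is denied only while an earlier access in the same conflict-of-interest
    class is still sensitive; the wall lifts once that earlier information is no
    longer sensitive, and public data never raises a wall at all.
    """
    if dataset.sensitive_until <= now:
        return True, "sanitized/public data does not create a wall"
    for prior_name in consultant.accessed:
        prior = DATASETS[prior_name]
        if prior.name == dataset.name:
            continue  # more of the same company's data is never a conflict
        if prior.coi_class == dataset.coi_class and prior.sensitive_until > now:
            return False, (f"conflict of interest: {consultant.name} already read "
                           f"{prior.name} in class {prior.coi_class}")
    return True, "no conflict"


def read(consultant: Consultant, dataset_name: str, now: int):
    """Mediate a read: record it in the consultant's history only if allowed."""
    dataset = DATASETS[dataset_name]
    allowed, reason = may_read(consultant, dataset, now)
    if allowed:
        consultant.accessed.setdefault(dataset_name, now)
    return allowed, reason


if __name__ == "__main__":
    dana = Consultant("dana")
    print(read(dana, "bank-a", now=10))   # first bank: allowed
    print(read(dana, "bank-b", now=11))   # second bank in the same class: denied
    print(read(dana, "oil-x", now=12))    # different class: allowed
    print(read(dana, "bank-b", now=101))  # bank-a no longer sensitive: wall lifted
```

The history is keyed by dataset rather than by individual record because the conflict is between companies, not documents; keeping the sensitivity window on the dataset rather than on the consultant is what lets the restriction "persist long enough to avoid a conflict of interest" and then expire without any per-user clean-up.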

In reference to Claim 17, Geiger discloses that messages may be sent to a 
"gatekeeper" for further review, if certain conditions are met and certain rules apply (see 
Abstract; Figures 1, 3, 4A, and 4B; and column 3, lines 9-19, for example). 

In reference to Claim 18, Geiger further discloses that, upon returning a message 
to a user, the user is notified, via email, of the reason that the message was returned 
(column 16, lines 10-15). 

In reference to Claims 23, 24, 26, 27, and 43, Geiger discloses that messages 
may be sent to a "gatekeeper" for further review, if certain conditions are met and 
certain rules apply (see Abstract; Figures 1, 3, 4A, and 4B; and column 3, lines 9-19, for 
example). Specifically in reference to Claims 23 and 24, Geiger discloses that the 
gatekeeper is notified, via email, of the reason that the message was sent on to the 
gatekeeper (column 16, lines 10-15). Further, Geiger discloses that a message may be 
sent on to another employee if a message matches certain properties (column 3, lines 
53-61). Specifically in reference to Claims 26 and 27, Geiger discloses that a message 
may be forwarded to a specific individual based on matching certain properties (column 
3, lines 53-61, and column 7, Table 7, for example) where this could be the user's 
manager or an employee responsible for data security. Specifically in reference to 
Claim 43, Geiger discloses that the gatekeeping function may be an automated 
computer process (column 24, lines 6-14). 

In reference to Claim 31, Geiger discloses that the rules may be stored "by any of 
a number of useful implementing data structures" (column 16, lines 42-45). Further, it 
would be obvious to store eliminated rules for record-keeping purposes, and also in the 
event that a rule might need to be re-used. 

In reference to Claim 34, it would be obvious not to load a rule until a user 
specified by the rule logs on in order to conserve system memory resources by not 
loading the rule unnecessarily. 

In reference to Claim 35, it would be obvious only to test a rule for a user 
specified by the rule, in order to conserve processing resources by not testing the rule 
unnecessarily. 

In reference to Claim 47, Geiger discloses generating rules in response to a 
condition (column 17, lines 36-39). 

10. Claims 11-12, 19-20, 22, 25, 28-29, 38-39, and 44 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Geiger in view of Sandhu as applied to claim 
10 above, and further in view of Scannell, et al, US Patent 5377354. 

In reference to Claim 11, Scannell discloses that a rule can be used as a 
template for other rules, in order to create a "new but similar rule" (column 8, lines 41- 
44). It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the combined system of Geiger and Sandhu, as 
described above in reference to Claim 10, by allowing for the use of templates for rule 
creation, in order to create "new but similar" rules, as taught by Scannell (see Scannell, 
column 8, lines 41-44). 

In reference to Claim 12, a party known to the system will in general be assigned 
a predetermined role; for example, Sandhu describes users in a consultant role (pg. 17, 
column 2). 

In reference to Claim 38, it would be obvious not to load a rule until a user in the 
role specified by the rule logs on in order to conserve system memory resources by not 
loading the rule unnecessarily. 

Similarly, in reference to Claim 39, it would be obvious only to test a rule for a 
user in the role specified by the rule, in order to conserve processing resources by not 
testing the rule unnecessarily. 

In reference to Claim 19, Geiger discloses that messages may be sent to a 
"gatekeeper" for further review, if certain conditions are met and certain rules apply (see 
Abstract; Figures 1, 3, 4A, and 4B; and column 3, lines 9-19, for example). 

In reference to Claim 20, Geiger further discloses that, upon returning a message 
to a user, the user is notified, via email, of the reason that the message was returned 
(column 16, lines 10-15). 
In reference to Claims 22, 25, 28, 29, and 44, Geiger discloses that messages 
may be sent to a "gatekeeper" for further review, if certain conditions are met and 
certain rules apply (see Abstract; Figures 1, 3, 4A, and 4B; and column 3, lines 9-19, for 
example). Specifically in reference to Claims 22 and 25, Geiger discloses that the 
gatekeeper is notified, via email, of the reason that the message was sent on to the 
gatekeeper (column 16, lines 10-15). Further, Geiger discloses that a message may be 
sent on to another employee if a message matches certain properties (column 3, lines 
53-61). Specifically in reference to Claims 28 and 29, Geiger discloses that a message 
may be forwarded to a specific individual based on matching certain properties (column 
3, lines 53-61, and column 7, Table 7, for example) where this could be the user's 
manager or an employee responsible for data security. Specifically in reference to 
Claim 44, Geiger discloses that the gatekeeping function may be an automated 
computer process (column 24, lines 6-14). 

Conclusion 

11. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Zachary A Davis whose telephone number is (703) 305- 
8902. The examiner can normally be reached on weekdays 8:30-6:00, alternate 
Fridays off. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Andrew Caldwell can be reached on (703) 306-3036. The fax phone 
number for the organization where this application or proceeding is assigned is 703- 
872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 